Transport operators need to be aware of all the implications of the General Data Protection Regulation (GDPR), which comes into force in May of next year, Paul Currie, partner at DFA Law, told delegates at the Microlise Transport Conference.
This legislation will replace the Data Protection Act of 1998, which gives individuals control over what information is held on them by organisations.
“Fines are more likely to be imposed under the new act and breaches will be more difficult to defend,” he warned.
Those fines will be up to €20 million or four per cent of global revenue in the previous financial year, whichever is the higher, and the legislation applies worldwide to any organisation holding data on any EU citizen.
Currie cautioned that Brexit would be most unlikely to remove this protection from UK citizens, and even if a post-Brexit government repealed the legislation it would be likely to replace it with laws which would “mirror GDPR”.
“A lot of telematics data which transport companies hold or have held on their behalf will be personal data and in the scope of GDPR,” he warned.
However: “A business which follows current best practice will probably manage to remain compliant with the new legislation.
“Accountability is the key,” he explained.
“GDPR means you will be expected to have systems in place to minimise breaches, and you will need more processes and formal procedures than you are likely to currently have in place. I’d recommend that most organisations will need to appoint a data protection officer.
“GDPR makes processors as well as controllers responsible for any data breaches.”
When it came to gathering individuals’ data: “Consent must be freely given, informed and unambiguous. It can’t just be included as a tick box item in terms and conditions.
“Consent to hold an individual’s data can be withdrawn by that individual at any time, and they have a right to erasure. Individuals will be able to launch complaints and claims for damages against companies that hold or have held or processed their data.
“Data captured by in-cab systems is potentially covered by the act, and you may be responsible if data you have gathered is hacked by a third party.”